kpumuk
- Karma
- 68
- Created
- September 10, 2009 (16y ago)
- Submissions
- 0
Software Engineer,
https://dmytro.sh https://twitter.com/kpumuk
[ my public key: https://keybase.io/kpumuk; my proof: https://keybase.io/kpumuk/sigs/CnzojHLlNv0t5asMWsw_xGl-n17_bXSaPcLiN_GzGpo ]
Thank you for your suggestion. Not a weakness anymore :)
We have reset passwords for all affected users. Hashes that got leaked are not useful now.
Compromised != Hacked. To clarify: no accounts were accessed by the hackers, but small amount of account records have had passwords encrypted with outdated algorithm (basically SHA1 + salt), so we preemptively reset…
We use scrypt for passwords hashing. This is modern hard to crack password hashing algorithm. We do have database access logs, so it was pretty straightforward to identify which users were affected.
Definitely put spaces